preetamnath/two-pass-review
skills/two-pass-review/SKILL.md
Two-pass code review: a `code-reviewer` pass followed by an adversarial `verifier` pass. Use for final review of completed code changes or any code review where a false positive would cost the user real time. Do NOT use for non-code artifacts or for quick spot-checks during iteration.
$ install --global
skillsauthnpx skillsauth add preetamnath/agent-skills two-pass-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 12, 2026, 6:57 AM132.7s1 file scanned
SKILL.md
- name:
- two-pass-review
- description:
- Two-pass code review: a `code-reviewer` pass followed by an adversarial `verifier` pass. Use for final review of completed code changes or any code review where a false positive would cost the user real time. Do NOT use for non-code artifacts or for quick spot-checks during iteration.
Two-Pass Review
A reusable review protocol that produces high-confidence findings on code changes by running a code-reviewer pass followed by an adversarial verifier pass. All output conforms to the Output Schema below.
When to use
For code review where you'd present findings to the user and a false positive costs real time (final review of a completed change, pre-merge audit). Don't present unverified findings for non-trivial code reviews — always run both passes.
For non-code artifacts (PRDs, plans, prose), spawn reviewer directly — this skill is hard-wired to code-reviewer for Pass 1.
Protocol
Pass 1 — Review
Spawn the code-reviewer agent with:
- Artifact: the file(s) or diff to review
- Criteria: what to review against
- Scope: what's in-bounds
- Output contract: "Return a ReviewOutput envelope (see Output Schema). Set verdict and evidence to null on all findings. Populate checks_run with what you evaluated (e.g., criteria names, file paths checked)."
Collect its output (ReviewOutput with P0-P3 findings + checks_run).
Auto-progression:
- Zero P0/P1 findings → terminate after Pass 1. Present the clean result with
checks_runso the user can see what was evaluated. - One or more P0/P1 findings → proceed automatically to Pass 2. No user prompt.
Pass 2 — Verify
Spawn the verifier agent with:
- Artifact: same as Pass 1
- Findings: the reviewer's full output (Finding array)
- Criteria: same as Pass 1
- Output contract: "For each finding, set verdict to confirmed/demoted/rejected and provide evidence. Severity may be adjusted up under
confirmedor down underdemoted. Return a ReviewOutput envelope with the full findings array (verdicts populated). Add any new observations as new findings with their own IDs (continuing the sequence) — but first check whether the observation is a re-discovery of an existing finding; if so, modify the existing finding instead of appending. Populate checks_run."
Collect its output (ReviewOutput with verdicts + new observations).
Present to user
Show:
- P0/P1 findings — confirmed and demoted-to-P0/P1. Mark demotions clearly (e.g., "demoted from P0 → P1") and promotions clearly (e.g., "promoted from P2 → P1") so the user can see the verifier's adjustment.
- Summary count — "X of Y P0/P1 confirmed, W demoted, Z rejected"
- P2/P3 findings — confirmed and demoted-to-P2/P3 (briefly, as FYI)
- New observations from the verifier (if any)
All-rejected case: If the verifier rejected every reviewer finding, do not present this as a clean review. Surface it explicitly: show the rejected findings with verifier reasoning, flagged as "reviewer/verifier disagreement — sanity-check the verifier's rejections before treating this as clean."
Do NOT show rejected findings (other than the all-rejected case) or unverified P2/P3s unless the user asks.
Output Schema
<!-- source: references/finding-schema.md -->Finding
Finding {
id: sequential number starting from 1,
severity: "P0" | "P1" | "P2" | "P3",
title: short title,
body: detailed explanation with evidence,
file: file path or null for global issues,
line_start: number or null,
line_end: number or null,
confidence: 0.0-1.0,
criterion: what was violated,
verdict: "confirmed" | "demoted" | "rejected" | null,
evidence: reasoning for verdict | null
}
ReviewOutput
Findings are wrapped in a ReviewOutput envelope:
ReviewOutput {
schema_version: "v1",
findings: Finding[],
checks_run: string[]
}
Severity calibration
- P0 — Must fix: breaks functionality, security breach, data loss, or violates criteria
- P1 — Fix before shipping: correct but incomplete, fragile, or reliability risk
- P2 — Should fix: quality issue, code smell, not blocking
- P3 — Nice to have: observation, style, minor improvement
Field notes
confidence— 1.0 means certain, below 0.5 means you're guessing. Be honest.criterion— required for P0/P1 findings. Name the specific criterion violated.verdict— populated by the verifier in two-pass review. Set tonullwhen producing findings directly.evidence— verifier's reasoning for the verdict. Set tonullwhen producing findings directly.checks_run— list every criterion evaluated, file path checked, or acceptance criterion verified. For ACs, useAC-N: PASS — [evidence]orAC-N: FAIL — [reason].
Related Skills
preetamnath/vet-fact
development
VerifiedTrustedCommunity
Judge whether a candidate fact earns a durable-doc line: keep only what a future agent would get the wrong answer without; cut anything derivable from code, setup, breadcrumb, or a restated default. TRIGGER when: user asks 'does this belong in CLAUDE.md / a rule / the docs', 'is this worth keeping/writing down', 'should this be a comment'; vetting or pruning a fact before it's filed or shaped.
2SKILL.mdUpdated Jun 13, 2026
preetamnath/refine-file
testing
VerifiedTrustedCommunity
Audit one instruction file by composing the durable-instruction lenses over it — vet-fact (WORTH: does each fact earn a line?), place-fact (PLACE: is it in the right home?), tighten-instruction (SHAPE: tighten the line). Pick the subset the file needs: shape-only, worth+shape, or worth+place+shape. A misplaced fact can be relocated to its right home on your approval, or deferred for a durable-docs-update batch. TRIGGER when: user wants a skill file or durable doc (CLAUDE.md, a rule, ARCHITECTURE.md) audited for what to keep, where it belongs, and how it reads; user says 'refine/audit this file', 'prune and tighten this doc', 'what here is worth keeping'. For shape-only tightening, tighten-file is the leaner sibling.
2SKILL.mdUpdated Jun 13, 2026
preetamnath/place-fact
development
VerifiedTrustedCommunity
Route a kept fact to its durable home by delivery trigger and most-local-wins — across in-file comment, nested CLAUDE.md, path-scoped rule, root CLAUDE.md, ARCHITECTURE.md, or a skill. TRIGGER when: user asks 'where should this go', 'which file/rule/home does this belong in', 'is this in the right place', 'should this be a pointer'; placing or re-homing a fact already judged worth keeping.
2SKILL.mdUpdated Jun 13, 2026
preetamnath/write-plan
development
VerifiedTrustedCommunity
Sequence a locked spec into dependency-ordered, wave-grouped tasks. TRIGGER when: user says 'build the plan' or 'sequence this'; a spec needs slicing into parallel-safe waves.
2SKILL.mdUpdated Jun 12, 2026